Risk-based approach and overall risk assessment: Comments and recommendations by the NBB
The requirement to adopt a risk-based approach for the prevention of ML/FT, the basis of which is laid down in Article 7 of the Anti-Money Laundering Law, is one of the key elements in the FATF Recommendations as revised in 2012 and in Directive 2015/849. At the Belgian level, this requirement has inter alia resulted, with regard to the preventive measures to be implemented by obliged entities, in the obligation to perform a dual risk assessment, namely:
- an overall assessment of the risks to which they are exposed, in accordance with the provisions of Articles 16 and 17 of the Anti-Money Laundering Law on the one hand, and of Title 2 of the Anti-Money Laundering Regulation of the NBB on the other hand (see below);
- an assessment of the risks associated with each customer (see the page “Individual risk assessment”).
Article 16 of the Anti-Money Laundering Law requires the obliged entities to take measures that are appropriate and commensurate with their nature and their size to identify and assess the ML/FT risks to which they are exposed. In doing so, they should take into account the characteristics of their customers, the products, services or transactions offered, the countries or geographical areas concerned and the distribution channels used.
The overall risk assessment (or business-wide risk assessment) to be carried out by the financial institutions should enable them to identify the inherent ML/FT risks to which their business exposes them and to manage these risks in an appropriate manner or, where necessary, to mitigate them. The risk-based approach also allows institutions to take less far-reaching measures in situations which present a low ML/FT risk, and to use the resources thus freed for the compulsory application of enhanced measures in situations where the risks are higher. Thus, the allocation of available resources can be optimised.
As the overall risk assessment should enable the financial institution to ensure that its policies, procedures and internal control measures and, in general, its organisation, are appropriate and sufficiently granular to address the generic ML/FT risks to which its business exposes it, this overall risk assessment is clearly different from the individual risk assessment carried out in accordance with Article 19 of the Law in order to decide, on a case-by-case basis, taking adequate account of the possible specificities of each individual case, on the intensity of the due diligence measures to be applied or, where appropriate, to refuse to enter into the business relationship or to carry out the proposed occasional transaction.
It also follows from the above that an appropriate risk-based approach starts with acquiring thorough and up-to-date knowledge of the ML/FT risks to which the institution is exposed and understanding these risks.
In accordance with Article 3, 3°, of the Anti-Money Laundering Regulation of the NBB, the overall risk assessment should cover all activities of the financial institution established in Belgium which is subject to the ML/FT legislation, including its cross-border activities conducted under the freedom to provide services in another Member State or in a third country. If the institution operates through a group, Article 6 of the Anti-Money Laundering Regulation of the NBB stipulates that all its branches and subsidiaries should submit their overall risk assessment to the institution, so that the latter can take it into account when determining the general risk policy at the level of the group. In this context, payment institutions and electronic money institutions must also ensure that an overall risk assessment is carried out of the ML/FT risks associated with the activities conducted by them in another Member State or third country through one or more persons established in that member state or third country and representing the institution concerned (e.g. network of agents, etc.).
As far as relevant for their sector, financial institutions should take into account at least the following elements in their overall risk assessment (see the reference documents mentioned above):
- the variables set out in Annex I of the Anti-Money Laundering Law;
- the factors that are indicative of a potentially higher risk, as referred to in Annex III of the same Law;
- ESAs Joint Opinion on the risks of money laundering and terrorist financing affecting the Union’s financial sector, issued pursuant to Article 6(5) of Directive 2015/849, and the guidelines published by the ESAs on the factors that are indicative of a lower risk (pursuant to Article 17 of the Directive) and the factors that are indicative of a higher risk (pursuant to Article 18(4) of the Directive) (“ESAs Risk Factor Guidelines dated 4 January 2018”);
- the relevant conclusions of the report drawn up by the European Commission pursuant to Article 6 of Directive 2015/849 (“Report from the Commission to the European Parliament and the Council dated 24 July 2019 on the assessment of the risks of money laundering and terrorist financing affecting the internal market and relating to cross-border activities”);
- the report drawn up by the coordinating bodies pursuant to Article 68 of the Anti-Money Laundering Law, each in its own ambit;
- the sectoral assessment of the money laundering risks in the Belgian financial sector subject to the supervisory authority of the National Bank of Belgium, and
- all other relevant information at their disposal.
In addition, the Anti-Money Laundering Law also provides the possibility to take account in the aforementioned assessment of the factors listed in its Annex II (potentially lower risk).
The overall ML/FT risk assessment should be carried out under the responsibility of the AMLCO (see the page “Governance”) and approved by the senior management (Article 3, 1°, of the Anti-Money Laundering Regulation of the NBB).
Article 17 of the Anti-Money Laundering Law also provides that the overall risk assessment should be documented, updated and kept at the disposal of the NBB. In this respect, financial institutions should be able to demonstrate to the NBB that the policies, procedures and internal control measures developed by them in accordance with Article 8 of the Law, including, where appropriate, their customer acceptance policies (see the page “Policies, procedures, processes and internal control measures”), are appropriate in view of the ML/FT risks they have identified. Updating the overall risk assessment implies, where appropriate, also updating the individual risk assessments referred to in Article 19, § 2, first paragraph of the Law (see the page “Individual risk assessment”).
Finally, it should be noted that the overall risk assessment to be carried out by the financial institutions under Article 16 of the Anti-Money Laundering Law is not a one-off exercise but a continuous process. This risk assessment - and, where appropriate, also the individual risk assessment - should be updated whenever one or more events occur that could have a significant impact on the risks (see Article 3, 3°, of the Anti-Money Laundering Regulation of the NBB and point 3.4 below).
As mentioned above, the overall risk assessment should be presented in a written document (in paper or electronic form) that is kept available to the NBB (see Article 17 of the Anti-Money Laundering Law). This document should also contain a description of the process used to perform the overall risk assessment, including:
- the methodology used to perform the overall risk assessment, which is expected to include at least the key elements referred to in point 3 below;
- the manner in which this process has been integrated into the institution’s broader risk management system and in its corporate governance, including the manner in which the group dimension, if any, has been incorporated in the assessment;
- a description of the procedures for monitoring and timely updating the risk assessment process in order to ensure its permanent accuracy;
- a description of the extent to which the AMLCO, the compliance officer, senior management, and any other parties have been involved in the identification and analysis of the risks, the development of the actual risk assessment and any related measures, or the acknowledgement and validation of the process as a whole.
The overall risk assessment should be carried out in three successive phases:
- identification and analysis of the risks associated with money laundering and terrorist financing and with compliance with the rules on international sanctions, embargoes and other restrictive measures, to which the institution is exposed (“risk identification phase”);
- analysis and assessment of the adequacy of the existing relevant risk management measures (“gap analysis”);
- if necessary, taking new or additional risk management measures to control the risks that are not, or not adequately, covered (“adjustment phase”).
The way in which the institution applies and implements this process, as well as the degree of granularity, must be proportionate to its nature and size.
In its Communication NBB_2020_002 of 23 January 2020 containing the conclusions of the horizontal analysis of a sample of summary tables of the overall assessment of the risks of money laundering and/or terrorist financing, the NBB emphasises the importance of following the different steps of the overall risk assessment in methodological order. In this Communication, the NBB also includes findings related to these different steps of the overall risk assessment process, in methodological order.
3.1 Risk identification phase
3.1.1. Risk classes – Subcategories
As mentioned above, a good overall risk assessment requires, in the first instance, a thorough knowledge and understanding of all ML/FT risks to which the institution is exposed. The institution will therefore have to identify all relevant ML/FT risks and to classify them into categories and subcategories, based on one or more of the characteristics defined in Article 16 of the Anti-Money Laundering Law. Besides the characteristics referred to in Article 16, the institution should also take into account any other additional characteristics that might apply to its specific situation, such as specific risks that might arise from intra-bank relationships with other group entities, risks associated with activities conducted on the institution’s own account (for example, the dealing room), etc.
For examples of good practices encountered by the NBB during its horizontal analysis of a sample of summary tables of the overall risk assessment, see Communication NBB_2020_002 (in particular point IV.a).
3.1.2. Risk exposure
Once the institution has identified and classified the various risks, it must assess the inherent risk by combining the probability of the risk occurring with the impact of any such materialisation of the risk, taking into account the activity effectively performed. In doing so, the institution should take into account the minimum variables and factors referred to in point 1 above, and any other variables and factors that might be appropriate to its specific situation.
The NBB does not prescribe the values or units to be used by the financial institution, the main objective being that the financial institution (and the NBB) can obtain a coherent and comprehensible view of its risk exposure. This should enable the financial institution to then define risk management measures in accordance with the risk appetite determined by its board of directors. In all cases, the NBB would like it to be clear from the documentation on the overall risk assessment process how the probability of the risk occurring and the impact of any such materialisation of the risk are scored.
With regard to the probability of risk occurrence, financial institutions should take care not to underestimate their risks. For example, a credit institution can have few customers who are politically exposed persons in its customer base in absolute terms, but this number can nevertheless represent a substantial percentage of its total customer base.
For more information on this subject, see Communication NBB_2020_002 (in particular point IV.b).
3.2 Gap analysis
3.2.1. Existing risk management measures
In a second phase, the institution should make an inventory of the risk management measures it already applies to manage or limit the various risks identified. This inventory of the risk management measures (which cover all due diligence and reporting obligations and can therefore relate to one or more of the following elements: the identification and verification obligation, the obligation of due diligence on business relationships and occasional transactions, the analysis of atypical transactions and the reporting of suspicions and additional information to the CTIF/CFI) should also include compliance with the legal framework laid down in the Anti-Money Laundering Law and Regulation of the NBB (i.e. control of the compliance risk, see in particular Article 8 of the Anti-Money Laundering Law and the page “Governance”).
3.2.2. Adequacy of risk management
Next, the institution must subject these internal procedures and controls to a critical examination, either to conclude that they are sufficient in view of the inherent risks detected or to identify the (potentially substantial) improvements to be made in order to effectively reduce the risks (mitigation and question of residual risk). In doing so, account must also be taken of the way in which these risk management measures are actually applied and observed in practice. Furthermore, the institution should also consider, inter alia, the risk management measures that are recommended in:
- the opinion on the ML/FT risks affecting the Union’s financial sector issued by the ESAs under Article 6(5) of Directive 2015/849, and the ESAs Risk Factor Guidelines;
- the report drawn up by the European Commission pursuant to Article 6 of Directive 2015/849;
- the report drawn up by the coordinating bodies pursuant to Article 68 of the Anti-Money Laundering Law;
- any other relevant best practices in this area (for example, guidelines issued by the sector, the FATF, the Basel Committee, etc.).
For more information on this subject, see Communication NBB_2020_002 (in particular point V).
3.3 Adjustment phase (action plan)
If, at the end of the second phase, the existing risk management measures appear to be insufficient, financial institutions should define new or additional measures to adequately manage or mitigate the risk. The action plan should be sufficiently ambitious in providing timely and appropriate solutions for the weaknesses identified (regardless of whether this involves introducing a new procedure or reviewing the automated transaction monitoring system). When establishing this action plan, it may therefore be appropriate to prioritise actions based on the impact of the identified gaps on the overall efficiency of the AML/CFT mechanisms implemented, especially if the plan comprises a large number of new measures to be introduced.
Finally, the financial institutions should ensure the overall coherence of the action plan: for instance, financial institutions will logically be required to provide for more (substantial) actions with regard to the activities or risk factors for which the residual risk was assessed as high during the gap analysis phase than for the activities or risk factors for which the residual risk was assessed as low.
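As an added illustration (not part of the NBB's text, which prescribes no scoring values or units), the following Python sketch carries the three phases of points 3.1.2, 3.2.2 and 3.3 through one constructed risk register: the ordinal scales, rating thresholds, control-effectiveness factor and sample items are all assumptions, and the PEP entry reproduces the point that a small absolute number of politically exposed persons can still be a large share of the customer base.

```python
from dataclasses import dataclass
from typing import List

# Constructed ordinal scales (assumption): the NBB prescribes no values or units.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    risk_class: str               # Article 16 characteristic: customer, product, country, channel
    subcategory: str              # e.g. "politically exposed persons"
    probability: str              # low / medium / high
    impact: str                   # low / medium / high
    control_effectiveness: float  # 0.0 = no mitigation, 1.0 = fully mitigated (assumed scale)


def inherent_score(item: RiskItem) -> int:
    """Phase 1 (3.1.2): inherent risk = probability of occurrence x impact if it materialises."""
    return SCALE[item.probability] * SCALE[item.impact]


def residual_score(item: RiskItem) -> float:
    """Phase 2 (3.2.2): what remains once existing measures, as actually applied, are counted."""
    if not 0.0 <= item.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must lie in [0, 1]")
    return inherent_score(item) * (1.0 - item.control_effectiveness)


def rating(score: float) -> str:
    """Map a 1..9 score back onto the three labels (constructed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def pep_probability(pep_customers: int, total_customers: int) -> str:
    """3.1.2 caveat: judge PEP exposure by share of the customer base, not by absolute count."""
    share = pep_customers / total_customers
    return "high" if share >= 0.05 else "medium" if share >= 0.01 else "low"


def action_plan(items: List[RiskItem]) -> List[dict]:
    """Phase 3 (3.3): gaps are items whose residual risk is not low, highest residual first."""
    gaps = [i for i in items if rating(residual_score(i)) != "low"]
    gaps.sort(key=residual_score, reverse=True)
    return [{"class": i.risk_class, "subcategory": i.subcategory,
             "inherent": rating(inherent_score(i)),
             "residual": rating(residual_score(i))} for i in gaps]


# Constructed sample register: 40 PEPs among 500 customers is a high share despite the small count.
REGISTER = [
    RiskItem("customer", "politically exposed persons", pep_probability(40, 500), "high", 0.8),
    RiskItem("channel", "non-face-to-face onboarding", "high", "medium", 0.3),
    RiskItem("country", "services in a high-risk third country", "medium", "high", 0.0),
    RiskItem("product", "domestic salary accounts", "low", "low", 0.5),
]

if __name__ == "__main__":
    for gap in action_plan(REGISTER):
        print(gap)
```

Running it lists only the two items whose residual risk is still medium or high, with the unmitigated country exposure ahead of the partially mitigated onboarding channel; the well-controlled PEP segment drops out of the plan despite its high inherent score.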
3.4 Process timetable and update of the overall risk assessment
All corrective measures necessary in light of the first overall risk assessment performed following the entry into force of the Anti-Money Laundering Law should be implemented by 1 July 2019 at the latest. Institutions that consider themselves unable to implement certain remedial measures within that period must submit a duly reasoned request for postponement to the NBB by 31 May 2019 at the latest. In such cases, the NBB may - depending on the actual circumstances and insofar as justified in view of the risk - decide to extend the remediation period until 1 January 2020 at the latest.
Additionally, Article 17 of the Anti-Money Laundering Law requires the overall risk assessment to be updated. In this context, the NBB takes this obligation to mean that financial institutions should repeat the process described above:
- whenever significant events occur, either internally or in their environment, that could significantly modify the nature and the scale of the ML/FT risks or their assessment. These changes could for instance be the result of a decision to develop and offer new products or services, to target new categories of customers, to use new distribution channels or tools or new customer identification and identity verification techniques, to expand their activities in other countries under the freedom to provide services, etc. Examples of external events that could have considerable consequences for the risks or their assessment are significant changes in the legal and regulatory framework of the country concerned or of other countries that are important for the activities carried out, major changes in the socio-economic context, the emergence of new forms of crime or the disclosure of new ML/FT classifications and techniques, etc.
- if, after verification of the effects of the risk reduction measures (mitigation) that are already in place and/or are taken in the context of the overall risk assessment action plan, it appears that these measures are not (sufficiently) effective or efficient and, as a result, other measures seem to be necessary.
However, the nature and scale of the risks could also be changed significantly by slower and more gradual developments both within the financial institution and in its environment. As a result, the NBB considers that, even if no significant events as described above occur, each financial institution should periodically ensure that the quantitative and qualitative information on which its latest overall ML/FT risk assessment was based has not changed in such a manner that this assessment, which is the cornerstone of its current organisation, policies, procedures and internal controls, is no longer relevant. The NBB considers that, in general, the relevance of the overall risk assessment should be reviewed annually. If the internal procedures provide for a lower frequency, the financial institution should be able to justify this decision in the light of the principle of proportionality, taking into account its nature and size on the one hand, and the likely stability of the general risk level it identified earlier on the other.
If it appears necessary to update the overall risk assessment, this should be done as soon as possible by completing the three phases described in points 3.1 to 3.3 above, in such a manner that any corrective measures needed to reduce new identified risks are implemented within a reasonable timeframe, taking into account the severity of these new risks. Depending on the circumstances, this update could be required for the entire overall risk assessment or only for those parts of it for which the risk level might have fluctuated significantly.
4. Communication to the NBB
Article 17 of the Anti-Money Laundering Law stipulates that the overall risk assessment must be documented, updated and made available to the NBB.
The documents to be completed and submitted to the NBB in this context as well as the submission method are published on the page “Reporting by financial institutions”.
The NBB expects future updates to the overall risk assessment to be mentioned and sufficiently clarified in the activity report of the AMLCO, and to be provided with updated versions of the aforementioned documents (taking into account the content of Communication NBB_2020_002).